New PC virus makes the rounds

Subject: New PC virus makes the rounds
From: Tim O'Connor (
Date: Tue Sep 18 2001 - 17:24:44 GMT


(I've spent the better part of my day dealing with this in one way or
another, and wanted to let the word out through the list so that you
can, we hope, avoid getting hit by this, and certainly avoid spreading
it to the list.)

This is part of a dispatch from Reuters about a new computer worm:

        (Reuters) - A damaging new computer worm was spreading
        like wildfire across the Internet on Tuesday, hitting
        both home PC users and commercial servers, in an outbreak
        that could prove more widespread and costly than the Code
        Red viruses, computer security experts said.

        Known as ``Nimda,'' which spells admin backwards, the
        worm spreads by sending infected e-mails and also appears
        able to infect Web sites, so when a user visits a
        compromised Web site, the browser -- if it has not been
        patched -- can spread the worm to a PC, analysts said.

        So far, it appears that Nimda arrives in e-mail without
        a subject line and containing an attachment titled
        ``readme.exe,'' experts said.

Let me add a few annotations:

If you run Windows 9x, Windows NT, Windows ME, or Windows 2000, and
you have IIS installed, then you are at risk for infection. If you
and make sure the software is monitoring your machine, so that you
stay clean. Currently, Macintosh computers are not being infected by
this worm. However, don't let this lull you into a false sense of
security. Keep those antivirus definitions current!

In addition, when Microsoft releases patches for your operating system
or the software you use, get in the habit of applying the patches
promptly. In the case of "Nimda," one of the pathways by which the
worm gets into a machine was closed by a patch issued by Microsoft
about a year ago. However, if the patch was never applied, then the
machine is vulnerable.

Here are some good sites for information about the present incident
(each is one long line that you can paste into your browser):

According to NAI (an antivirus vendor), Microsoft has made a tool
available to help in cleaning an infected machine. It can be found

The real target is not so much the browser, as the Reuters article
says above, but IIS and mail software. Once IIS gets successfully
attacked, then the worm uses the infected machine to stage further
attacks on vulnerable systems. One security vendor estimates that
there are more than one million vulnerable systems out there,
waiting to be hacked by this worm. The worm not only attacks YOUR
system; it pounds away at potential targets at a devastating rate,
chewing up enormous amounts of bandwidth. So, even when it attacks
a system that is not vulnerable, it uses up network resources.

You may find yourself getting a call from your system or network
administrator to say that your machine is launching attacks. The
scary part is that you may have no idea that anything untoward is
happening. (If you're on a slow connection, such as a dialup modem,
you may notice a diminished response time. But if you're on a fast
network, you may not notice any slowdown; your network administrator
most likely will, though!)

If your machine is clean and you can uninstall IIS, you will reduce
the current risk and future IIS-related risks. IIS is perhaps one of
the most attacked (and SUCCESSFULLY attacked) software products in use
today, according to many observers. If you don't need it, uninstall
it and save yourself a lot of heartache.

The browser comes into play because if a web site is successfully
attacked, a contaminated file gets put on the site such that a
browser downloads a file and executes it. The file is called
readme.eml and appears to the browser to be a sound file.

The worm also spreads by email. If (as the article above says) you
receive a message with no subject line, and an attachment called
"readme.exe," DO NOT OPEN THE ATTACHMENT. Delete the message and
the attachment immediately, and empty your trash immediately.
If a PC is using a mailer like Outlook, the worm rummages through the
address book, harvests addresses, and tries to infect each of those
addresses by sending infected mail. It also browses through a web
browser's cache and attempts to mail itself to addresses found in
the cache. Outlook is the most-attacked mailer; one report says
that merely OPENING the infected mail can cause the worm to spread,
though this report has not been widely confirmed; other mailers, such
as Eudora, require you to actually double-click on the attachment to
cause an infection. Some independent reports also indicate that the
"From" address is sometimes forged, so the apparent sender may not be
the actual sender of the infected mail.

This is one of the most aggressive worms we've seen on the Internet,
ever. In some cases it drives the use of a network from normal levels
to 100% of the network's capacity.

I regret sending such a long message, but want to get the word out;
I also hope to protect the list from getting accidentally hit by an
infected machine.

Best of luck with your PCs.

--tim o'connor
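
The e-mail indicators described in the message above (no subject line, an attachment named readme.exe, a readme.eml file that presents itself as a sound file), as an added example that is not part of the original post: a Python check that a mail administrator could run over raw messages. The sample messages are constructed, and the extension list and the audio-type mismatch rule are assumptions that generalize the post's description.

```python
import email
from email import policy

SUSPECT_NAMES = {"readme.exe", "readme.eml"}        # file names given in the post
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif")  # assumption: treated as executable


def nimda_indicators(raw_message):
    """Return the indicators from the post that a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits, suspect_name_seen = [], False
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if not name:
            continue
        if name in SUSPECT_NAMES:
            suspect_name_seen = True
            hits.append("attachment-name:" + name)
        # Assumption (generalizes "appears to be a sound file"): a part declared
        # as audio/* whose file name has an executable extension is a mismatch.
        if part.get_content_maintype() == "audio" and name.endswith(EXECUTABLE_EXTS):
            hits.append("audio-type-on-executable:" + part.get_content_type())
    # The post pairs the attachment name with a missing subject line.
    if suspect_name_seen and not (msg["Subject"] or "").strip():
        hits.append("no-subject-with-suspect-attachment")
    return hits


# Constructed sample messages (not captured traffic).
SAMPLE_SUSPECT = b"""\
From: sender@example.com
To: list@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

(no text)
--b1
Content-Type: audio/x-wav; name="readme.exe"
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
--b1--
"""
SAMPLE_BENIGN = b"""\
From: sender@example.com
Subject: Meeting notes
Content-Type: text/plain

See you Thursday.
"""
```

Because the post notes that the "From" address is sometimes forged, the check deliberately ignores the sender and looks only at the subject and attachment metadata.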


This archive was generated by hypermail 2b25 : Mon Nov 12 2001 - 17:21:40 GMT